
@Pross Pross/denyhosts.php
Last active Dec 16, 2015

DenyHosts for WordPress
<?php
/*
Plugin Name: DenyHosts
Plugin URI: http://pross.org.uk
Description: Block bad login attempts.
Version: 1.0
Author: Pross
*/
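/**
 * Minimal login lockout for WordPress: counts failed logins per client IP and
 * refuses the login screen to addresses that went over the limit.
 *
 * State is kept in two options, both arrays keyed by IP address:
 *   - 'denyhosts_temp': running count of failed logins
 *   - 'denyhosts_bans': banned addresses (value 1)
 *
 * Operational caveats for anyone deploying this:
 *   - Nothing in this class expires or removes a ban or a counter; both
 *     options only grow until an administrator edits them.
 *   - The key is REMOTE_ADDR, i.e. the directly connected peer. Behind a
 *     reverse proxy, load balancer or CDN that is the proxy's address, so a
 *     single ban can lock out every visitor. Resolve the real client address
 *     at the web server (trusted-proxy configuration) before relying on this.
 *   - Counters are updated with a read-modify-write on an option, which is
 *     not atomic; concurrent failures can be under-counted.
 *   - The ban check is only wired to the login screen. Other entry points
 *     that authenticate users are not covered by check_bans() here.
 */
class DenyHosts {

    /**
     * Set to 1 to also check bans on the 'init' action (before the login page
     * produces output), or 0 to check on 'login_head' only and show the
     * styled error page.
     */
    public $block_init = 1;

    /**
     * Registers the ban check and the failed-login counter.
     */
    public function __construct() {
        if ( $this->block_init && $this->is_login_request() ) {
            add_action( 'init', array( $this, 'check_bans' ) );
        }
        add_action( 'login_head', array( $this, 'check_bans' ) );
        add_action( 'wp_login_failed', array( $this, 'failed_attempt' ) );
    }

    /**
     * Tells whether the current request targets wp-login.php.
     *
     * An exact comparison of REQUEST_URI with '/wp-login.php' stops matching
     * as soon as the URL carries a query string or WordPress lives in a
     * subdirectory, which silently disables the early ban check. Comparing
     * the script's base name keeps the check in place for those requests.
     *
     * @return bool
     */
    private function is_login_request() {
        foreach ( array( 'SCRIPT_NAME', 'REQUEST_URI' ) as $key ) {
            if ( empty( $_SERVER[ $key ] ) ) {
                continue;
            }
            // Drop the query string before looking at the path.
            $parts = explode( '?', (string) $_SERVER[ $key ], 2 );
            if ( 'wp-login.php' === basename( $parts[0] ) ) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the peer address of the current request, or '' when the SAPI
     * does not provide one (CLI, cron).
     *
     * @return string
     */
    private function client_ip() {
        return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    }

    /**
     * Ends the request with the block page when the client IP is banned.
     */
    public function check_bans() {
        $ip = $this->client_ip();
        if ( '' === $ip ) {
            return;
        }
        $bans = get_option( 'denyhosts_bans', array() );
        // empty() avoids an undefined-index warning for addresses never seen.
        if ( is_array( $bans ) && ! empty( $bans[ $ip ] ) ) {
            $this->block();
        }
    }

    /**
     * Counts one failed login for the client IP. Once the stored count is
     * above 3 (i.e. on the fifth failure) the address is banned instead.
     */
    public function failed_attempt() {
        $ip = $this->client_ip();
        if ( '' === $ip ) {
            return;
        }
        $counts = get_option( 'denyhosts_temp', array() );
        if ( ! is_array( $counts ) ) {
            $counts = array();
        }
        $seen = isset( $counts[ $ip ] ) ? (int) $counts[ $ip ] : 0;
        if ( $seen > 3 ) {
            // add_ban() finishes in block(), which ends the request.
            $this->add_ban( $ip );
        }
        $counts[ $ip ] = $seen + 1;
        update_option( 'denyhosts_temp', $counts );
    }

    /**
     * Bans an address, clears its failure counter, e-mails the site admin
     * and ends the request with the block page.
     *
     * @param string $ip Address to ban.
     */
    public function add_ban( $ip ) {
        $bans = get_option( 'denyhosts_bans', array() );
        if ( ! is_array( $bans ) ) {
            $bans = array();
        }
        $bans[ $ip ] = 1;
        update_option( 'denyhosts_bans', $bans );

        // Default to an array so a missing option is not written back as false.
        $counts = get_option( 'denyhosts_temp', array() );
        if ( ! is_array( $counts ) ) {
            $counts = array();
        }
        unset( $counts[ $ip ] );
        update_option( 'denyhosts_temp', $counts );

        wp_mail( get_option( 'admin_email' ), 'IP BLOCKED', sprintf( 'IP: %s has just been blocked on %s. Total IPs blocked: %s', $ip, get_option( 'blogname' ), count( $bans ) ) );
        $this->block();
    }

    /**
     * Sends the "access denied" response and stops execution.
     *
     * A literal "Status:" header only changes the response code under
     * CGI/FastCGI; status_header() sets the code on every SAPI. It is sent
     * whenever headers are still open, so clients and log-based tooling see
     * a 403 rather than a 200 wherever that is still possible.
     */
    public function block() {
        if ( ! headers_sent() ) {
            status_header( 403 );
        }
        if ( $this->block_init ) {
            die( '<h1>Access Denied.</h1>' );
        }
        // Escape before echoing into HTML, even though the value comes from the server.
        $ip = esc_html( $this->client_ip() );
?>
<style type="text/css">html{background:#f9f9f9;}body{background:#fff;color:#333;font-family:sans-serif;-webkit-border-radius:3px;border-radius:3px;border:1px solid #dfdfdf;max-width:700px;height:auto;margin:2em auto;padding:1em 2em;}h1{border-bottom:1px solid #dadada;clear:both;color:#666;font:24px Georgia, "Times New Roman", Times, serif;margin:30px 0 0;padding:0 0 7px;}#error-page{margin-top:50px;}#error-page p{font-size:14px;line-height:1.5;margin:25px 0 20px;}#error-page code{font-family:Consolas, Monaco, monospace;}</style></head>
<body id='error-page'>
<?php
        printf( '<h1>Access Denied!</h1><p>Your IP <strong>%s</strong> has been blocked and logged.</p></body></html>', $ip );
        exit();
    }
}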
// Bootstrap: create the plugin object when the file loads; its constructor registers the hooks.
new DenyHosts();

nodesocket commented Apr 25, 2013

In the function block(), maybe you should return a proper status code as well, instead of returning 200.

header("Status: 403 Forbidden");

Pross commented Apr 26, 2013

Yeah, I thought of that, but if it's on the login page, the headers have already been sent.


Pross commented Apr 26, 2013

Actually, yeah: updated to send a 403 if it's set to block on 'init'.
